rusackas commented on PR #40454: URL: https://github.com/apache/superset/pull/40454#issuecomment-4700689973
Same thinking as #39646: the Impala cancel-query request uses the host from the database connection, and configuring that connection is a privileged action, so a user who can set the host is already in the trusted DB-management tier per SECURITY.md rather than crossing a privilege boundary. CI's also red here. Closing, but if you can show an unprivileged role (Public/Gamma/sql_lab) reaching this with an attacker-controlled host, reopen with that role from the capability matrix and we'll revisit. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
